Federal Communications Commission
Office of Inspector General

FY 2004 Federal Information Security Management Act
Independent Evaluation and Risk Assessment

Report No. 04-AUD-06-08

September 20, 2004

TABLE OF CONTENTS

                                                        Page
EXECUTIVE SUMMARY                                          3
BACKGROUND                                                 5
OBJECTIVE                                                  6
SCOPE                                                      6
OBSERVATIONS                                               8
APPENDIX A   Summary of Findings                         A-1
APPENDIX B   Detailed Findings & Recommendations         B-1
APPENDIX C   Management Response                         C-1

Risk & Advisory Services
Washington, DC

EXECUTIVE SUMMARY

The Federal Information Security Management Act ("FISMA" or "the Security Act") was signed into law on December 17, 2002 as Title III, "Information Security", of the E-Government Act of 2003. FISMA permanently reauthorized the framework established by the Government Information Security Reform Act (GISRA), which expired in November 2002.

A key provision of FISMA requires that the agency Office of Inspector General (OIG), or designated independent evaluators, perform an annual review of the agency's information security program and practices. For fiscal year (FY) 2004, the Federal Communications Commission's ("the Commission" or "FCC") OIG engaged KPMG, LLP to conduct its independent evaluation and risk assessment.

The scope of the review included the security infrastructures managed by the Office of Managing Director's (OMD) Information Technology Center (ITC) and the Auctions Operations Branch of the Wireless Telecommunications Bureau (WTB). Our approach included analyzing documentation, interviewing personnel responsible for the security and administration of information resources, and reviewing previously performed audits and special reviews. During the review, we also followed up on the status of corrective actions for FY 2001 and FY 2002 GISRA findings. Audit fieldwork was conducted from March 11, 2004 through July 6, 2004 at the FCC's Portals headquarters located in Washington, DC and Laurel Labs in Laurel, Maryland.

The objective of the current year's FISMA review was to evaluate the effectiveness of the Commission's information security program. Our review included, but was not limited to, security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management.

The framework for our methodology was provided by the "Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide)" issued by the National Institute of Standards and Technology (NIST). As appropriate, guidance prescribed by the "Federal Information System Controls Audit Manual (FISCAM)" was used. Guidance was also obtained from additional NIST publications, other laws and directives pertaining to the protection of Federal information resources, and agency-specific guidance.

The Office of Management and Budget's (OMB) Memorandum M-03-19, entitled "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting", was followed to perform and report upon the results of our independent evaluation. The instructions posed several questions regarding high-level management performance measures that were to be addressed by Agency Heads, Agency Program Officials, and agency OIGs. A separate report with responses to the questions asked of agency OIGs will be prepared and submitted with the Commission's FY 2004 FISMA Submission.

Overall, we determined that the FCC continues to demonstrate dedication to improving and maintaining the protection of its information assets. Notably, the Computer Security Program (CSP) has dedicated resources and worked in concert with other groups within ITC to evaluate and implement controls to strengthen the effectiveness of information security. During our evaluation, we noted several positive security controls as well as areas where improved controls are recommended.

Appendices A and B to this report provide the details of the observations and conditions identified and reviewed during our FY 2004 independent evaluation and risk assessment. Recommendations are provided for consideration by FCC management.

Specifically, we identified one (1) new finding in the area of operational controls. This finding has been classified as Medium Risk. Additionally, we determined that five (5) of the conditions identified during the FY 2001 GISRA evaluation and three (3) from the FY 2002 GISRA evaluation had not been fully corrected at the time of audit fieldwork. Of these eight (8) outstanding conditions, three (3) were originally classified as High Risk. We did not review the status of outstanding conditions from the FY 2003 FISMA review.

On August 31, 2004, we provided a draft to the Office of Managing Director (OMD) for review and comments. In its response dated September 17, 2004, OMD indicated concurrence with the one (1) new finding in FY 2004, and seven (7) of the eight (8) conditions identified during the FY 2002 and FY 2001 GISRA evaluations. On one finding, no audit follow-up was performed. For all findings, OMD outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. We have included a copy of the response from OMD in its entirety as Appendix C to this report.

Due to the sensitive nature of the information contained in the appendices, we have marked them all "Non-Public – For Internal Use Only" and have limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material.

BACKGROUND

The Federal Information Security Management Act ("FISMA" or "the Security Act") was signed into law on December 17, 2002 as Title III, "Information Security", of the E-Government Act of 2003. The Security Act permanently reauthorized the framework established by the Government Information Security Reform Act (GISRA), which expired in November 2002.

A key provision of FISMA requires that the agency Office of Inspector General (OIG), or designated independent evaluators, perform an annual evaluation of the agency's information security program and practices. For fiscal year (FY) 2004, the Federal Communications Commission's ("the Commission" or "FCC") OIG engaged KPMG, LLP to conduct the agency's risk assessment and independent evaluation.

The framework for our methodology was provided by the "Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide)" issued by the National Institute of Standards and Technology (NIST). As appropriate, guidance prescribed by the "Federal Information Systems Control Audit Manual (FISCAM)" was used. Guidance was also obtained from additional NIST publications, as well as other laws and directives pertaining to the protection of Federal information resources as listed below, including agency-specific guidance. The primary guidelines used in the course of this review are as follows:

   •   The E-Government Act of 2002, Public Law 107-347, enacted on December 17, 2002
   •   Presidential Decision Directive (PDD) 63, entitled "Critical Infrastructure Protection"
   •   PDD-67, entitled "Continuity of Operations Planning (COOP)"
   •   Office of Management and Budget (OMB) Circular A-130, entitled "Management of Federal Information Resources", as revised on November 30, 2000
   •   OMB M-97-16, entitled "Information Technology Architectures"
   •   OMB M-97-02, entitled "Funding Information Systems Investments"
   •   Draft FY 04 "Updated Reporting Instructions for FISMA and Guidance on Quarterly IT Security Reporting"
   •   OMB M-03-19, "Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting" (August 6, 2003)
   •   FCC INST 1479.2, "Computer Security Program Directive"
   •   NIST Special Publication 800-37, "Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems" (October 2002, Draft)

Our procedures were designed to comply with applicable auditing standards and guidelines, specifically the Generally Accepted Government Auditing Standards (GAGAS).

OBJECTIVE

Our objective was to evaluate the effectiveness of the Commission's information security program by assessing the risk for each component of the program. The specific objectives of the evaluation were to:

   1. Obtain an understanding of the Commission's Information Technology (IT) infrastructure.

   2. Obtain an understanding of the Commission's information security program and practices.

   3. Use FISMA security assessment tools to evaluate the effectiveness of the Commission's information security program.

   4. Prepare the annual submission in accordance with the reporting requirements mandated under FISMA for FY 2004. In addition to preparing the annual submission, provide a detailed report to (1) identify and rank the critical security risk factors and (2) document observations and recommendations for improvements, if any.

   5. Follow up on audit findings from the FY 2001 and FY 2002 GISRA reviews documented by FCC-OIG report numbers 01-AUD-11-43 and 02-AUD-02-06.

Specific recommendations, as warranted, have been developed to address any internal control deficiencies identified during the conduct of review fieldwork.

SCOPE

The scope of our independent evaluation and risk assessment included the security infrastructures managed by the Office of the Managing Director's (OMD) Information Technology Center (ITC) and the Auctions Operations Branch of the Commission's Wireless Telecommunications Bureau (WTB).

The FY 2004 FISMA audit encompassed a review of the Commission's security program including, but not limited to, security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management. The review also followed up on the status of corrective actions for FY 2001 and FY 2002 GISRA findings and included an aging analysis of quarterly Plans of Action and Milestones (POA&Ms).

Follow-up on new findings reported by the FY 2003 FISMA review was not included in the current year's scope of work due to the accelerated start date of this year's FISMA review in support of the financial statement audit reporting requirements. To provide OMD adequate time to implement corrective actions on FY 2003 findings, follow-up on these will be included in the next year's FISMA evaluation.

The Security Act also requires that the OIG select an appropriate subset of agency applications for review. Our FY 2003 Audit of Revenue Accounting & Management Information System (RAMIS) Application Controls satisfies this requirement for the current year. The results of this audit can be found in OIG Report No. 03-AUD-01-01, which will be forwarded with the Commission's FY 2004 FISMA Submission to OMB.

Our observations from the independent evaluation and risk assessment have been organized according to the NIST control areas of management, operational, and technical controls. The control areas are defined below and the specific control techniques addressed by each are outlined.

   Management Controls – Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. The specific management control objectives addressed were:

   •   Risk Management
   •   Review of Security Controls
   •   Life Cycle
   •   Authorize Processing (Certification and Accreditation)
   •   System Security Plan

   Operational Controls – Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely upon management activities as well as technical controls. The specific operational control objectives addressed were:

   •   Personnel Security
   •   Physical and Environmental Protection
   •   Production, Input/Output Controls
   •   Contingency Planning
   •   Hardware and System Software Maintenance
   •   Data Integrity
   •   Documentation
   •   Security Awareness, Training and Education
   •   Incident Response Capability

   Technical Controls – Technical controls focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The specific technical control objectives addressed were:

   •   Identification and Authentication
   •   Audit Trails
   •   Logical Access Controls

Each finding has been further categorized by risk ratings of 'High', 'Medium', or 'Low'. In assigning ratings, we considered whether each condition, if exploited, could result in misuse or loss of FCC data, as well as the potential degree of exposure to the Commission. Risk categories are defined below:

   High Risk:     A security risk which can cause a business disruption, if exploited. The identified condition presents a level of risk that requires immediate and appropriate redress by FCC management. Not doing so would have the potential effect of increasing the risks of unnecessary system downtime, misuse, and destruction/exposure of critical FCC data.

   Medium Risk:   A security risk which, in conjunction with other events, can cause a business disruption, if exploited. It is important for FCC management to take appropriate corrective action on these medium-risk security control conditions in order to protect the integrity, availability, and confidentiality of FCC data.

   Low Risk:      A security risk which may cause operational annoyances, if exploited.

AUDIT OBSERVATIONS

During our FISMA review we assessed documentation provided by the Commission, reviewed previously performed special reviews and audits, conducted interviews of agency staff, and performed other activities of inquiry and observation. Audit fieldwork was conducted from March 11, 2004 through July 6, 2004 at the FCC's Portals headquarters located in Washington, DC and Laurel Labs in Laurel, Maryland.

In our determination, the FCC continues to demonstrate a commitment to protecting federal information resources and data of the Commission. During our evaluation, we noted several positive security controls related to the FCC's information security program and practices:

   •   Ninety percent (90%) of the Commission's major applications and general support systems have been certified to operate. By comparison, at the close of FY 2003, eight (8) or 42% of the systems had received an authority to operate (ATO). At the time of our audit, only two (2) systems were awaiting an ATO.

   •   The ITC's Disaster Recovery Plan has been finalized and included as Appendix F of the FCC Facilities Continuity of Operations Plan (COOP).

   •   Neither the ITC nor the WTB Auctions Automation Branch experienced computer security incidents due to improperly configured or improperly patched web presence and/or internal infrastructure hosts in FY 2004.

   •   The FCC has strong controls regarding the backup of critical Commission data, specifically with the dual redundancy built into the FCC's Storage Area Network (SAN) environment.

   •   The CSP regularly communicates computer security information to all FCC users. These communications discuss practices for safeguarding information resources, threats to computer security, and educational topics related to computer security.

While the Commission has implemented numerous positive security controls over its computer resources, we identified an area for improvement. Specifically, the evaluation identified one (1) new finding in the area of operational controls.

Based upon our follow-up on FY 2001 GISRA observations, we determined that corrective actions have not been fully implemented for five (5) findings. Additionally, three (3) findings from the FY 2002 GISRA evaluation were determined to be unresolved. Of these eight (8) outstanding conditions, three (3) were originally classified as 'High' risk, four (4) as 'Medium' risk, and one (1) as 'Low' risk. We did not review the status of outstanding conditions from the FY 2003 FISMA review.

Appendix A provides the Summary of Findings from the FY 2003 FISMA review. Appendix B is a report of Detailed Findings and Recommendations, which outlines detailed information on the conditions identified, criteria used to evaluate the condition, effect, and recommendation(s). Both appendices identify new conditions that resulted from the current year's review as well as conditions from the FY 2001 and FY 2002 GISRA reviews that were noted with an 'open' status.

On August 31, 2004, we provided a draft to the Office of Managing Director (OMD) for review and comments. In its response dated September 17, 2004, OMD indicated concurrence with the one (1) new finding in FY 2004, and seven (7) of the eight (8) conditions identified during the FY 2002 and FY 2001 GISRA evaluations. On one finding, no audit follow-up was performed, due to timing issues. During the FY 2003 FISMA Review, we noted that COALS was not in compliance with the FCC SDLC Methodology. Because of the timing of the FY 2004 FISMA Review, we were unable to follow up with COALS project personnel for a status of the system's compliance with the FCC SDLC Methodology. However, the status will be followed up on during the FY 2005 FISMA Review. For all findings, OMD outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. We have included a copy of the response from OMD in its entirety as Appendix C to this report.

This report contains non-public information. In accordance with the Commission's directive on the Management of Non-Public Information (FCCINST 1139), we have classified all appendices as "Non-Public – For Internal Use Only." Recipients of this report are expected to follow the established policies and procedures for managing and safeguarding the non-public information contained in this report as outlined in FCCINST 1139.